ISHOSTS32.exe

Discussion in 'malware problems & news' started by PCrookie, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. PCrookie

    PCrookie Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    5
    Location:
    PA, USA
    Hello,
    ISHOSTS32.exe is TRYING to run on my computer. I deny it each time using avast software (which is alerting me of the problem). I am a rookie. Can anyone tell me if this is a nice exe or a bad exe? Thank you. I am an Explorer user, using Windows XP with all the upgrades.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, this looks like a baddy. Can you give us the file path and exact name given by avast? If it is listed as running in Task Manager you should try 'ending the process' there. Also you could click Start/Run/msconfig to see whether it is listed in the Startup tab.

    In the first instance you could try the following routine, which may enable Avast to deal with it:-

    To start with you should disable system restore as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

    Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

    Then you need to open Windows Explorer and:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    and do a full system scan with your AV.

    Let us know whether this helps.
     
  3. PCrookie

    PCrookie Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    5
    Location:
    PA, USA
    Thank you for your answer. It didn't look nice. I understand what you are telling me to do... mainly, because I had to follow Blackspear's General virus and trojan removal instructions in the beginning of the year :( . THAT gave me a huge lesson in understanding my computer.
    If I go into Spybot, using advanced mode under the System startup tool... it shows up with a "key value" of HK_LM:RunServices and a "value" of LSASS Authority. Under task manager ISHOSTS32 does not show up but LSASS does...
    It is not listed at all under the Start/run/msconfig....
    I cannot remember what Avast listed. If I restart my computer without changing sys restore ... the warning would show again.

    I will be embarrassed if this is something I've requested.

    I'll let you know what happens. Wish me luck. Thank you again.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Just to let you know that C:\WINDOWS\system32\lsass.exe is part of the Windows operating system and therefore lsass.exe will appear as a process in Task Manager. But there are several 'bad' files that call themselves lsass.exe and have a slightly different file path. So you should investigate if you are running more than one example of this prog. Also note that lsass.exe should not normally appear as a startup in Msconfig, if it does it will probably be bad.

    Actually, lsass.exe handles Windows security mechanisms, so it could be that ISHOSTS32.exe is giving itself privileges by invoking lsass. Or maybe it is just getting lsass to run it as a Service - in that way it will run at bootup but will not appear as an autorun. A lot of trojans these days are running as services. Look in the 'Services' tab of msconfig to see if you can find a likely candidate there. Also, by clicking Start/Control Panel/Performance & Maintenance/Administrative Tools/Services, you can bring up a box to check on and disable Services.

    Make a note of what Avast tells you and let us have that info. By the way if you have done the cleaning procedure before, you may have downloaded an AT, such as Ewido, it would be good to know what that has to say about this!
     
    Last edited: Feb 14, 2005
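The checks TopperID describes above (an lsass.exe outside C:\WINDOWS\system32, more than one running copy, lsass.exe listed as a startup item) plus the Spybot observation of a startup value named "LSASS Authority", written as an added Python example that is not part of the original posts. The process and autorun records are constructed sample data; every path other than the genuine lsass.exe path is invented, and `audit` is a hypothetical helper name.

```python
import ntpath

# Path the thread gives for the genuine Windows component.
LEGIT_LSASS = r"C:\WINDOWS\system32\lsass.exe"

def _norm(path):
    """Case-insensitive, separator-normalised Windows path (runs on any OS)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def _image(command):
    """Executable path from an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # keeps unquoted paths with spaces whole
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def audit(processes, autoruns):
    """processes: (pid, image_path); autoruns: (key, value_name, command)."""
    findings = []
    lsass = [(pid, p) for pid, p in processes
             if ntpath.basename(_norm(p)) == "lsass.exe"]
    for pid, path in lsass:
        if _norm(path) != _norm(LEGIT_LSASS):
            findings.append(("lsass-wrong-path", pid, path))
    if len(lsass) > 1:
        findings.append(("lsass-multiple-instances", len(lsass), None))
    for key, name, command in autoruns:
        image = ntpath.basename(_norm(_image(command)))
        if image == "lsass.exe":
            findings.append(("lsass-as-autorun", key, command))
        elif "lsass" in name.lower():
            # Entry borrows the LSASS name but launches a different program.
            findings.append(("lsass-name-mismatch", key, command))
    return findings

# Constructed sample data: every path except LEGIT_LSASS is invented.
SAMPLE_PROCESSES = [
    (612, r"C:\WINDOWS\system32\lsass.exe"),
    (1840, r"C:\WINDOWS\lsass.exe"),
]
SAMPLE_AUTORUNS = [
    ("HK_LM:RunServices", "LSASS Authority", r"C:\EXAMPLE\ISHOSTS32.exe"),
    ("HK_LM:Run", "ExampleTool", r'"C:\EXAMPLE\tool\tool.exe" /quiet'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(finding)
```

On a live machine the two input lists would come from a process listing with full image paths and an export of the Run/RunServices keys.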
  5. SKILMORHILLS

    SKILMORHILLS Guest

    Hi, I'm an amateur computer programmer on a Macintosh with a DELL Inspiron 8100 as my right hand operator. This ISHOSTS32.exe is becoming more popular. It is an AIM virus/trojan and has infected all my friends. It downloads as a .pif file and takes identity as an away message: "VALENTINES DAY PICTURES HERE" and then it has its own servers that I've looked into... It used to run off of service24.com and now it runs off of a different one. You should come up w/ a good remedy to get rid of it and PUBLISH it widely

    Please Contact me with further info:
    ~snip~ removed email to prevent it being harvested - snap
    aim: skiandfilm3tja
     
    Last edited by a moderator: Feb 16, 2005
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

    This is what works really well for me, very simple to use and maintain.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  8. PCrookie

    PCrookie Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    5
    Location:
    PA, USA
    Hello... I'm sorry, I don't know how to use quote... I'll make sure I learn for my next post. I do want to say that I am still working this problem with ISHOSTS32 and now, something else seems to have invaded my computer. The interesting thing... I did allow my son to sign up for an AIM id in February....right after I cleaned up my PC so nicely! At this point, I can sign onto the internet but nothing else. (No websites, no updating of programs) I do receive mail in Outlook. I'm on a different computer right now trying to research what my scans are finding on my pc. Wish me luck and I will let you know what happens... I so badly want to change my browser from Explorer! Thank you for the information all of you. :doubt:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried running through the comprehensive steps found in General Cleaning?

    Let us know how you go...

    Cheers :D
     
  10. PCrookie

    PCrookie Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    5
    Location:
    PA, USA
    I have. I am a faithful follower of that particular thread. It has helped on two computers that I've cleaned here at home. Here is where I am... I used the AIMFIX and it deleted out the ISHOSTS32.exe.. is that good, I don't know. I'm running Avast in safe mode right now. It shows this other infected file, it has shown up since the whole ISHOSTS32.exe started... Windows/explorer.exe/wxbgy:$data I cannot move it to the infection chest. Out of desperation, I tried deleting it to recycle bin and it wouldn't let me. I tried looking on Google for information and can find none. I can tell that my pc is not running right. I'm afraid to delete the file completely because of the explorer.exe part. Does anyone know if this is an ok file? I'm clueless again. Also, I ran a trojan scan in safe mode and came up with a bunch of data stream errors... is that possible when I'm using XP? I believe I'm in over my head and sinking FAST!!! Thanks for any information.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Towards the end of General Cleaning you will find instructions for posting a Hijack This Log file at an ASAP forum. I would suggest that you head in that direction at this point.

    Let us know how you go...

    Cheers :D
     